F-2024-0005 · incorrect-validation-order

Hardcoded value for validAfter argument could prevent users from initiating a subscription at a later time

Tags: Fixed · account-abstraction · erc-4337 · subscription · github.com/bastion-wallet
TL;DR

validAfter is hardcoded to block.timestamp in registerSubscription, blocking users from scheduling a subscription that should start at a chosen future time.

Severity: MEDIUM
Impact: MEDIUM
Likelihood: MEDIUM
Method: Manual review
Complexity: LOW
Exploitability: LOW

Description

In registerSubscription(), the validAfter field of the new subscription is hardcoded to block.timestamp, so a user cannot create a subscription that starts at a chosen time in the future.

```solidity
function registerSubscription(
    address _subscriber,
    uint256 _amount,
    uint256 _validUntil,
    uint256 _paymentInterval,
    address _erc20Token
) public {
    require(_amount > 0, "Subscription amount is 0");
    require(_paymentInterval > 0, "Payment interval is 0");
    require(msg.sender == _subscriber, "Only the subscriber can register a subscription");
    ISubExecutor.SubStorage memory sub = ISubExecutor.SubStorage({
        amount: _amount,
        validUntil: _validUntil,
        validAfter: block.timestamp, // hardcoded: the caller cannot choose a later start time
        paymentInterval: _paymentInterval,
        subscriber: _subscriber,
        initiator: address(this),
        erc20TokensValid: _erc20Token == address(0) ? false : true,
        erc20Token: _erc20Token
    });
}
```
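The following is an added illustration, not code from the Bastion wallet repository: a self-contained contract in which the start time is caller-supplied and the subscription window is validated and later enforced. The `SubStorage` struct, the `subscriptions` mapping and the `isWithinWindow` view are hypothetical stand-ins for the project's own types and payment logic.

```solidity
pragma solidity ^0.8.0;

// Added example, not Bastion's code; struct, mapping and view names are hypothetical.
contract SubscriptionWindowExample {
    struct SubStorage {
        uint256 amount;
        uint256 validUntil;
        uint256 validAfter;
        uint256 paymentInterval;
        address subscriber;
        address initiator;
        bool erc20TokensValid;
        address erc20Token;
    }
    mapping(address => SubStorage) public subscriptions;

    function registerSubscription(
        address _subscriber,
        uint256 _amount,
        uint256 _validUntil,
        uint256 _validAfter, // caller-chosen start time instead of block.timestamp
        uint256 _paymentInterval,
        address _erc20Token
    ) public {
        require(_amount > 0, "Subscription amount is 0");
        require(_paymentInterval > 0, "Payment interval is 0");
        require(msg.sender == _subscriber, "Only the subscriber can register a subscription");
        // The start may be now or in the future, never in the past ...
        require(_validAfter >= block.timestamp, "Sub cannot be valid after a time in the past");
        // ... and the window must be non-empty, otherwise no payment could ever be taken.
        require(_validUntil > _validAfter, "validUntil must be after validAfter");
        subscriptions[_subscriber] = SubStorage({
            amount: _amount,
            validUntil: _validUntil,
            validAfter: _validAfter,
            paymentInterval: _paymentInterval,
            subscriber: _subscriber,
            initiator: address(this),
            erc20TokensValid: _erc20Token != address(0),
            erc20Token: _erc20Token
        });
    }

    // Payment processing should gate on this window; with validAfter hardcoded to
    // block.timestamp the lower bound is always already satisfied at registration.
    function isWithinWindow(address _subscriber) public view returns (bool) {
        SubStorage storage sub = subscriptions[_subscriber];
        return block.timestamp >= sub.validAfter && block.timestamp <= sub.validUntil;
    }
}
```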

Impact

Users cannot schedule a subscription to start later than the current block, removing useful scheduling functionality and forcing same-block activation only.


Recommendation

Consider introducing an input argument _validAfter and passing it through as validAfter, together with a check that the supplied value is greater than or equal to block.timestamp:

```diff
function registerSubscription(
address _subscriber,
uint256 _amount,
uint256 _validUntil,
+ uint256 _validAfter,
uint256 _paymentInterval,
address _erc20Token
) public {
+ require(_validAfter >= block.timestamp, "Sub cannot be valid after a time in the past")
- validAfter: block.timestamp,
+ validAfter: _validAfter,
```
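Review bot: the added `require(_validAfter >= block.timestamp, "Sub cannot be valid after a time in the past")` line is missing its terminating semicolon, so the suggested change does not compile as written; add the `;`. The hunk also leaves `_validUntil` unrelated to the new `_validAfter`: nothing in the visible lines prevents `_validUntil <= _validAfter`, which would register a subscription whose window is empty, so a second check such as `require(_validUntil > _validAfter, "...")` next to the new require is worth considering.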

Resolution

Team Response: Acknowledged and fixed as suggested.

Status: Fixed
Fix commit: 79cddfeb6070
© 2026 Zealynx